Chinese Hackers Target UK Engineering Company: Report

Recent attacks on an engineering company in the United Kingdom were attributed to a China-related cyber-espionage group despite the use of techniques usually associated with Russian threat actors.

The hacking group, which is referred to as TEMP.Periscope and is also known as Leviathan, has been active for half a decade and was observed targeting engineering and maritime entities earlier this year. In July 2018, the group targeted the employees of a U.K.-based engineering company in a spear-phishing campaign, Recorded Future reports.

The attack also targeted an email address believed to belong to a freelance Cambodian journalist who covers local politics, human rights, and Chinese development. Both attacks used the infrastructure previously associated with TEMP.Periscope, while the group’s interest in the engineering company likely dates back to May 2017.

As part of this campaign, the group is believed to have reused publicly reported, sophisticated Tactics, Techniques and Procedures (TTPs) from Russian threat groups Dragonfly and APT28. The purpose of the attacks was to gain access to sensitive and proprietary technologies and data, the researchers presume.

The hackers likely used the scsnewstoday[.]com domain for command and control (C&C), the same domain that was recently abused in a TEMP.Periscope campaign targeting the Cambodian government. Furthermore, the actor sent spear-phishing emails from the Chinese email client Foxmail.

As part of the attack, the threat actor used a unique technique associated with Dragonfly to acquire SMB credentials and also appear to have been abusing a version of the open source tool Responder as an NBT-NS poisoner.

Using Foxmail, the state-sponsored Chinese threat actor sent spear-phishing emails containing two malicious links to the U.K. company on July 6, 2018. The first link was a “file://” designed to generate an SMB session, while the second was to a URL file also configured to create an outbound SMB connection.

The message claimed to arrive from a Cambodian reporter who was requesting information, but spelling and punctuation alerted network defenders at the victim organization.

The scsnewstoday[.]com domain used in the attack was previously used by TEMP.Periscope to deliver their AIRBREAK downloader. Also known as Orz, this JavaScript-based backdoor is controlled through hidden strings in compromised webpages and actor-controlled profiles on legitimate services.

“Prior to this attempt in July, the same U.K. engineering company had previously been targeted in May 2017. This campaign used the ETERNALBLUE exploit and a unique DNS tunneler backdoor,” Recorded Future said in its report.

The DNS tunneler would communicate with a subdomain of thyssenkrupp-marinesystems[.]org, which was spoofing German defense contractor ThyssenKrupp Marine Systems. The domain was hosted by Netherlands-based HostSailor VPS IP 185.106.120[.]206, which also hosted an open directory containing the threat actor’s malware and tools.

Although TEMP.Periscope was first mentioned as a Chinese threat actor in October 2017, the group was using the same infrastructure to target the U.K. engineering company six months earlier. In November 2017, the same company was hit with an attack that abused the Microsoft Equation Editor vulnerability CVE-2017-11882 to deliver a Cobalt Strike payload.

Recorded Future, however, assesses with medium confidence that the Chinese threat actor is responsible for the attacks.

“It is plausible that, with the timeline of Russian tooling being made public prior to the disclosure of the TEMP.Periscope campaigns, TEMP.Periscope adapted their TTPs to either hinder attribution efforts or to simply use techniques that they deemed would be effective,” the security firm says.